List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community. See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: RE: [ActiveDir] [OT] Need help with Server sizing for AD MS certificate Services

Author: BrianB
Posted: 09/01/2010 2:44 PM
Thanks everyone,

As I have read more about 2008R2 CAs I am coming to the conclusion that I may not need to cluster the CAs, though key recovery is important. I also am now looking at using a VM. The only reason I was interested in Hardware was because VMware does not support Windows clustering between two VMs and I wanted to have a highly available solution since it was being offered. But I have now come to realize that the CRL dist. point is more important. If I don't use clustering, there is no need to order HW.

I was sent this blog posting yesterday by my TAM that gave me some points to ponder. http://blogs.technet.com/b/morello/archive/2008/07/21/to-cluster-or-not-to-cluster-cas.aspx.

As far as OCSP goes... Hmmm. I have not thought about the client OS versions. I will have to read further on that. Any info you have about that to pass along would be greatly appreciated.

Thanks for the help.



Brian Britt
Vanderbilt University | Directory Services Specialist
Nashville, TN
615-322-4676

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Steven Griffiths
Sent: Wednesday, September 01, 2010 3:26 AM
To: ActiveDir.Org
Subject: RE: [ActiveDir] [OT] Need help with Server sizing for AD MS certificate Services

Agree with all the previous posters. I've recently deployed a certificate services solution using VMware that issues certificates to several thousand computers and performance is not a problem.

Keep in mind that once a certificate has been issued, the subscriber won't talk to the CA again until the certificate needs renewing, which could be a period measured in years! So after an initial period where certificates are issued, there will be long periods where activity will be minimal.

I assume you'll use the server for HTTP access to the CA certificates and CRLs? If you're using 2K8 R2, are your clients recent enough (Vista or later, though a 3rd-party OCSP client exists for XP) to also use OCSP for validation?

Why are you considering a clustered solution? The main reason to do so is if you are planning to use key recovery. If it is just for availability of the CA service and CRL, it is probably easier just to deploy a second server.

Steve G
________________________________

From: Ken@adOpenStatic.com
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Need help with Server sizing for AD MS certificate Services
Date: Tue, 31 Aug 2010 17:01:15 +0000

+1

AD CS is unlikely to put significant load on your environment unless you have to issue several thousand certs in one go. But that would probably be an irregular event.

That still makes it hard to justify in a proposal or design document. However, you may be able to simulate in a simple test environment if you need performance metrics to justify in a business case or design.

Cheers
Ken

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of David Loder
Sent: Tuesday, 31 August 2010 10:41 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Need help with Server sizing for AD MS certificate Services

If the hardware meets the minimum requirements for running R2, that scale will barely be noticed; unless you try and pulse all the enrollments at once and want them all to succeed without retrying later.

Raw metal is becoming overkill for many infrastructure requirements.


-- http://dloder.blogspot.com --

--- On Tue, 8/31/10, Britt, Brian <brian.britt@Vanderbilt.Edu> wrote:

From: Britt, Brian <brian.britt@Vanderbilt.Edu>
Subject: [ActiveDir] [OT] Need help with Server sizing for AD MS certificate Services
To: "activedir@mail.activedir.org" <activedir@mail.activedir.org>
Date: Tuesday, August 31, 2010, 10:24 AM
All:

Does anyone use Microsoft's AD Certificate Services in their environment? I am trying to implement AD CS on 2008 R2 servers in a failover cluster. However I cannot find any documentation other than general guidelines for 2008 R2 pertaining to HW recommendations. I have the potential of issuing several thousand email, Authenticode, and smartcard certificates in my environment.

Does anyone know of a document, calculation, etc. explaining the sizing of an AD CS server? I need to order the hardware ASAP.
Any help is much appreciated.



